feat: [MINT-4816] Update remaining xss template escaping (#221)

Author: aarondeane-extend

view/adminhtml/templates/order/creditmemo/create/totals/sp-adjustment.phtml

@@ -6,6 +6,8 @@
 
 /** @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer */
 /** @var \Extend\Integration\Block\Adminhtml\Sales\Order\Creditmemo\Totals $block */
+/** @var $escaper \Magento\Framework\Escaper */
+
 $shippingProtectionPrice = $block->getShippingProtection();
 if ($block->isSpgSpRemovedFromCreditMemo()) {
   $shippingProtectionPrice = '';
@@ -15,34 +17,36 @@ if ($block->isSpgSpRemovedFromCreditMemo()) {
 <?php if ($block->getOriginalShippingProtection() > 0 || $block->isSpSpg()): ?>
     <tr>
         <td class="label">
-            <?= $block->escapeHtml(__('Shipping Protection')) ?>
+            <?= $escaper->escapeHtml(__('Shipping Protection')) ?>
             <div id="shipping_protection_adv"></div>
             <div class="sp-buttons-container" id="extend_sp_buttons_container">
                 <?php if ($block->isSpSpg()): ?>
-                    <button name="spg-add" type="button" class="zero" id="extend_sp_buttons_container__spg_add"><?=__('Add to Refund')?></button>
-                    <button name="spg-remove" type="button" class="full" id="extend_sp_buttons_container__spg_remove"><?=__('Remove from Refund')?></button>
+                    <button name="spg-add" type="button" class="zero" id="extend_sp_buttons_container__spg_add"><?= $escaper->escapeHtml(__('Add to Refund')) ?></button>
+                    <button name="spg-remove" type="button" class="full" id="extend_sp_buttons_container__spg_remove"><?= $escaper->escapeHtml(__('Remove from Refund')) ?></button>
                 <?php else: ?>
-                    <button name="full" type="button" class="full" id="extend_sp_buttons_container__full"><?=__('Full')?></button>
-                    <button name="zero" type="button" class="zero" id="extend_sp_buttons_container__zero"><?=__('0')?></button>
+                    <button name="full" type="button" class="full" id="extend_sp_buttons_container__full"><?= $escaper->escapeHtml(__('Full')) ?></button>
+                    <button name="zero" type="button" class="zero" id="extend_sp_buttons_container__zero"><?= $escaper->escapeHtml(__('0')) ?></button>
                 <?php endif; ?>
             </div>
         </td>
         <td>
             <input type="text"
                 name="creditmemo[shipping_protection]"
-                data-full="<?= /* @noEscape */ $block->getOriginalShippingProtection() ?>"
-                value="<?= /* @noEscape */ $shippingProtectionPrice ?>"
+                data-full="<?= $escaper->escapeHtmlAttr($block->getOriginalShippingProtection()) ?>"
+                value="<?= $escaper->escapeHtmlAttr($shippingProtectionPrice) ?>"
                 class="input-text admin__control-text not-negative-amount"
                 readonly="readonly"
                 id="shipping_protection"/>
-            <?php $scriptString = <<<script
+            <?php
+            $validationMessage = $escaper->escapeJs(__('Please enter a positive number in this field.'));
+            $scriptString = <<<script
                 require(['prototype'], function(){
 
                 //<![CDATA[
                 Validation.addAllThese([
                     [
                         'not-negative-amount',
-                        '{$block->escapeJs(__('Please enter a positive number in this field.'))}',
+                        '{$validationMessage}',
                         function (v) {
                             if (v.length)
                                 return /^\s*\d+([,.]\d+)*\s*%?\s*$/.test(v);

view/adminhtml/templates/system/config/create_demo_integration.phtml

@@ -6,12 +6,13 @@
 
 /** @var \Extend\Integration\Block\Adminhtml\System\Config\CreateDemoIntegration $block */
 /** @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer */
+/** @var $escaper \Magento\Framework\Escaper */
 ?>
-<?php $buttonUrl = $block->escapeJs($block->getButtonUrl()); ?>
+<?php $buttonUrl = $escaper->escapeJs($block->getButtonUrl()); ?>
 <div class="actions actions-create-integration">
     <p class="admin__field-error hidden" id="validation_result"></p>
     <button class="action-create-integration" type="button" id="<?= /* @noEscape */ $block->getHtmlId() ?>">
-        <span><?= $block->escapeHtml($block->getButtonLabel()) ?></span>
+        <span><?= $escaper->escapeHtml($block->getButtonLabel()) ?></span>
     </button>
 </div>
 <?= /* @noEscape */ $secureRenderer->renderTag('style', [], '#validation_result {margin-bottom: 10px;}', false); ?>

view/adminhtml/templates/system/config/create_prod_integration.phtml

@@ -6,12 +6,13 @@
 
 /** @var \Extend\Integration\Block\Adminhtml\System\Config\CreateProdIntegration $block */
 /** @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer */
+/** @var $escaper \Magento\Framework\Escaper */
 ?>
-<?php $buttonUrl = $block->escapeJs($block->getButtonUrl()); ?>
+<?php $buttonUrl = $escaper->escapeJs($block->getButtonUrl()); ?>
 <div class="actions actions-create-integration">
     <p class="admin__field-error hidden" id="validation_result"></p>
     <button class="action-create-integration" type="button" id="<?= /* @noEscape */ $block->getHtmlId() ?>">
-        <span><?= $block->escapeHtml($block->getButtonLabel()) ?></span>
+        <span><?= $escaper->escapeHtml($block->getButtonLabel()) ?></span>
     </button>
 </div>
 <?= /* @noEscape */ $secureRenderer->renderTag('style', [], '#validation_result {margin-bottom: 10px;}', false); ?>

view/adminhtml/templates/system/config/finish-integration-steps.phtml

@@ -1,4 +1,7 @@
 <?php
+/** @var $block \Extend\Integration\Block\Adminhtml\Integration\Edit\Tab\FinishIntegration */
+/** @var $escaper \Magento\Framework\Escaper */
+
 $status = $block->getActiveIntegrationStatusOnStore();
 $showTimeline = $status !== 4 && $status !== 3;
 ?>
@@ -21,9 +24,9 @@ $showTimeline = $status !== 4 && $status !== 3;
 
                 <?php if ($status === 0): ?>
                     <div class="extend-timeline-item-body">
-                        <p>The <strong><?= $this->getCurrentIntegrationName() ?></strong> integration is not yet enabled. Please follow the steps detailed on the <a href="<?= $block->getDefaultScopeUrl() ?>">Extend Settings</a> page to complete
+                        <p>The <strong><?= $escaper->escapeHtml($block->getCurrentIntegrationName()) ?></strong> integration is not yet enabled. Please follow the steps detailed on the <a href="<?= $escaper->escapeUrl($block->getDefaultScopeUrl()) ?>">Extend Settings</a> page to complete
                             your setup and integration this store with Extend.</p>
-                        <button class="action-primary" name="finish_integration" type="button" onclick="document.location.href='<?= $block->getDefaultScopeUrl() ?>';">
+                        <button class="action-primary" name="finish_integration" type="button" onclick="document.location.href='<?= $escaper->escapeJs($block->getDefaultScopeUrl()) ?>';">
                             <span><?= __('Finish Integration') ?></span>
                         </button>
                     </div>
@@ -35,7 +38,7 @@ $showTimeline = $status !== 4 && $status !== 3;
                 <div class="extend-timeline-item-label">Sync Store with Extend</div>
                 <?php if ($status === 1 || $status === 5): ?>
                     <div class="extend-timeline-item-body">
-                        <p>The current integration is <strong><?= $this->getCurrentIntegrationName() ?></strong>.</p>
+                        <p>The current integration is <strong><?= $escaper->escapeHtml($block->getCurrentIntegrationName()) ?></strong>.</p>
                         <div>
                             <input type="checkbox" name="activate_current_store" id="activate_current_store" />
                             <label for="activate_current_store">Add Store to current Integration</label>
@@ -53,16 +56,16 @@ $showTimeline = $status !== 4 && $status !== 3;
                 <div class="extend-timeline-item-label">Integration Complete</div>
                 <?php if ($status === 2): ?>
                     <div class="extend-timeline-item-body">
-                        <p>The current integration is <strong><?= $this->getCurrentIntegrationName() ?></strong>.</p>
+                        <p>The current integration is <strong><?= $escaper->escapeHtml($block->getCurrentIntegrationName()) ?></strong>.</p>
                         <div>
                             <input type="checkbox" name="activate_current_store" id="activate_current_store" checked disabled />
                             <label for="activate_current_store">Add Store to current Integration</label>
                         </div>
                         </br>
-                        <?php if ($this->getExtendStoreUuid()): ?>
+                        <?php if ($block->getExtendStoreUuid()): ?>
                             <div>
                                 <label for="extend_store_id">Extend Store ID</label>
-                                <input type="text" value="<?= $this->getExtendStoreUuid() ?>" name="extend_store_id" id="extend_store_id" maxlength="36" disabled />
+                                <input type="text" value="<?= $escaper->escapeHtml($block->getExtendStoreUuid()) ?>" name="extend_store_id" id="extend_store_id" maxlength="36" disabled />
                             </div>
                         <?php endif; ?>
                     </div>
@@ -73,7 +76,7 @@ $showTimeline = $status !== 4 && $status !== 3;
 <?php else: ?>
     <?php if ($status === 3): ?>
         <p>The Extend integration could not be found for the given store. Usually in this case an integration was selected and then deleted. Please
-            go to the <a href="<?= $block->getDefaultScopeUrl() ?>">Extend Settings</a> page and select a new integration.
+            go to the <a href="<?= $escaper->escapeUrl($block->getDefaultScopeUrl()) ?>">Extend Settings</a> page and select a new integration.
         </p>
     <?php elseif ($status === 4): ?>
         <p>Error retrieving the Extend integration for the given store.</p>

view/adminhtml/templates/system/config/integration-status.phtml

@@ -1,3 +1,7 @@
+<?php
+/** @var $block \Extend\Integration\Block\Adminhtml\Integration\Edit\Tab\HowToActivate */
+/** @var $escaper \Magento\Framework\Escaper */
+?>
 <div id="extend-integration-status">
   <!-- Alert will initialize in a hidden state until needed -->
   <div id="extend-alert-container" class="extend-alert extend-hidden">
@@ -19,7 +23,7 @@
         <ul>
           <li>
             Go to
-            <a href="<?= /* @noEscape */ $this->getIntegrationUrl(); ?>"
+            <a href="<?= $escaper->escapeUrl($block->getIntegrationUrl()); ?>"
               >integration settings</a
             >.
           </li>
@@ -121,19 +125,19 @@
   </div>
 </div>
 
-<?php if ($integrations = $this->getIntegrations()): ?>
+<?php if ($integrations = $block->getIntegrations()): ?>
   <script type="text/x-magento-init">
     {
       "#extend-integration-status": {
         "activationStatus": [
           <?php foreach ($integrations as $key => $integration): ?>
             {
-              "currentStep": "<?=$integration['current_step']?>",
-              "identityLinkUrl": "<?=$integration['identity_link_url']?>",
-              "integrationId": "<?=$integration['integration_id']?>",
-              "integrationName": "<?=$integration['integration_name']?>",
-              "oauthActivatedAt": "<?=$integration['oauth_activated_at']?>",
-              "prevActivationFailed": "<?=$integration['prev_activation_failed']?>"
+              "currentStep": "<?= $escaper->escapeJs($integration['current_step']) ?>",
+              "identityLinkUrl": "<?= $escaper->escapeJs($integration['identity_link_url']) ?>",
+              "integrationId": "<?= $escaper->escapeJs($integration['integration_id']) ?>",
+              "integrationName": "<?= $escaper->escapeJs($integration['integration_name']) ?>",
+              "oauthActivatedAt": "<?= $escaper->escapeJs($integration['oauth_activated_at']) ?>",
+              "prevActivationFailed": "<?= $escaper->escapeJs($integration['prev_activation_failed']) ?>"
             }<?= array_key_last($integrations) === $key ? '' : ',' ?>
           <?php endforeach; ?>
         ]

view/adminhtml/templates/system/config/recreate_pp_product.phtml

@@ -6,12 +6,13 @@
 
 /** @var \Extend\Integration\Block\Adminhtml\System\Config\RecreatePPProduct $block */
 /** @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer */
+/** @var $escaper \Magento\Framework\Escaper */
 ?>
-<?php $buttonUrl = $block->escapeJs($block->getButtonUrl()); ?>
+<?php $buttonUrl = $escaper->escapeJs($block->getButtonUrl()); ?>
 <div class="actions actions-recreate-pp-product">
     <p class="admin__field-error hidden" id="validation_result"></p>
     <button class="action-recreate-pp-product" type="button" id="<?= /* @noEscape */ $block->getHtmlId() ?>">
-        <span><?= $block->escapeHtml($block->getButtonLabel()) ?></span>
+        <span><?= $escaper->escapeHtml($block->getButtonLabel()) ?></span>
     </button>
 </div>
 <?= /* @noEscape */ $secureRenderer->renderTag('style', [], '#validation_result {margin-bottom: 10px;}', false); ?>

view/frontend/templates/cart/item/renderer/actions/product-protection-simple-offer.phtml

@@ -1,4 +1,6 @@
 <?php
+/** @var $block \Magento\Checkout\Block\Cart\Item\Renderer\Actions\Generic */
+/** @var $escaper \Magento\Framework\Escaper */
 
 /** @var \Magento\Quote\Model\Quote\Item $_item */
 $item = $block->getItem();
@@ -33,23 +35,23 @@ $sanitizedProductSku = preg_replace('/[^a-zA-Z0-9-_|]/', '',  $productSku);
 
 <?php if ($shouldRender) : ?>
   <div>
-    <div class="product-protection-offer" id="product_protection_offer_<?= $sanitizedProductSku ?>"></div>
+    <div class="product-protection-offer" id="product_protection_offer_<?= $escaper->escapeHtml($sanitizedProductSku) ?>"></div>
   </div>
   <script type="text/x-magento-init">
     {
-        "#product_protection_offer_<?= $sanitizedProductSku ?>": {
+        "#product_protection_offer_<?= $escaper->escapeJs($sanitizedProductSku) ?>": {
             "simpleProductProtectionOffer": [
                {
-                        "extendStoreUuid": "<?= $block
+                        "extendStoreUuid": "<?= $escaper->escapeJs($block
                                               ->getData('viewModel')
-                                              ->getExtendStoreUuid() ?>",
-                        "activeEnvironment": "<?= $block
+                                              ->getExtendStoreUuid()) ?>",
+                        "activeEnvironment": "<?= $escaper->escapeJs($block
                                                 ->getData('viewModel')
-                                                ->getActiveEnvironment() ?>",
-                        "selectedProductSku": "<?= $product->getSku() ?>",
-                        "selectedProductPrice": "<?= $product->getPrice() ?>",
-                        "productCategory": "<?= $categoryName ?>",
-                        "currencyCode": "<?= $currencyCode ?>"
+                                                ->getActiveEnvironment()) ?>",
+                        "selectedProductSku": "<?= $escaper->escapeJs($product->getSku()) ?>",
+                        "selectedProductPrice": "<?= $escaper->escapeJs($product->getPrice()) ?>",
+                        "productCategory": "<?= $escaper->escapeJs($categoryName) ?>",
+                        "currencyCode": "<?= $escaper->escapeJs($currencyCode) ?>"
                     }
             ]
         }

view/frontend/templates/cart/minicart-simple-offer.phtml

@@ -3,6 +3,10 @@
  * Copyright Extend (c) 2023. All rights reserved.
  * See Extend-COPYING.txt for license details.
  */
+
+/** @var $block \Magento\Framework\View\Element\Template */
+/** @var $escaper \Magento\Framework\Escaper */
+
 $viewModel = $block->getData('viewModel');
 $extendStoreUuid = $viewModel->getExtendStoreUuid();
 $activeEnvironment = $viewModel->getActiveEnvironment();
@@ -18,9 +22,9 @@ $shouldRender = $viewModel->isExtendProductProtectionEnabled() && $viewModel->is
         "#extendMinicartSimpleOffer": {
             "minicartSimpleOffer": [
                 {
-                    "extendStoreUuid": "<?= $extendStoreUuid ?>",
-                    "activeEnvironment": "<?= $activeEnvironment ?>",
-                    "currencyCode": "<?= $currencyCode ?>"
+                    "extendStoreUuid": "<?= $escaper->escapeJs($extendStoreUuid) ?>",
+                    "activeEnvironment": "<?= $escaper->escapeJs($activeEnvironment) ?>",
+                    "currencyCode": "<?= $escaper->escapeJs($currencyCode) ?>"
                 }
             ]
         }

view/frontend/templates/catalog/product/view/aftermarket-product-protection-modal-offer.phtml

@@ -1,12 +1,12 @@
 <?php
+/** @var $block \Magento\Framework\View\Element\Template */
+/** @var $escaper \Magento\Framework\Escaper */
+
 $viewModel = $block->getData('viewModel');
 
 $extendStoreUuid = $viewModel->getExtendStoreUuid();
 $activeEnvironment = $viewModel->getActiveEnvironment();
-
-$leadToken = $escaper->escapeHtml($escaper->escapeJs($viewModel->getLeadTokenFromUrl()));
-$viewModel = $block->getData('viewModel');
-
+$leadToken = $viewModel->getLeadTokenFromUrl();
 $currencyCode = $viewModel->getCurrencyCode();
 $isCurrencySupported = $viewModel->isCurrencySupported();
 
@@ -19,10 +19,10 @@ $shouldRender = $viewModel->isExtendProductProtectionEnabled() && $viewModel->is
           "*": {
               "aftermarketProductProtectionModalOffer": [
                   {
-                      "extendStoreUuid": "<?= $extendStoreUuid ?>",
-                      "activeEnvironment": "<?= $activeEnvironment ?>",
-                      "leadToken": "<?= /* @noEscape */ $leadToken ?>",
-                      "currencyCode": "<?= $currencyCode ?>"
+                      "extendStoreUuid": "<?= $escaper->escapeJs($extendStoreUuid) ?>",
+                      "activeEnvironment": "<?= $escaper->escapeJs($activeEnvironment) ?>",
+                      "leadToken": "<?= $escaper->escapeJs($leadToken) ?>",
+                      "currencyCode": "<?= $escaper->escapeJs($currencyCode) ?>"
                   }
               ]
           }

view/frontend/templates/catalog/product/view/product-protection-modal-offer.phtml

@@ -1,4 +1,7 @@
 <?php
+/** @var $block \Magento\Catalog\Block\Product\View */
+/** @var $escaper \Magento\Framework\Escaper */
+
 $viewModel = $block->getData('viewModel');
 $categoryModel = $block->getData('categoryModel');
 
@@ -26,19 +29,19 @@ $shouldRender = $viewModel->isExtendProductProtectionEnabled() && $viewModel->is
 ?>
 
 <?php if ($shouldRender) : ?>
-  <div class="product_protection_modal_offer" id="product_protection_modal_offer_<?= $sanitizedProductSku ?>"></div>
+  <div class="product_protection_modal_offer" id="product_protection_modal_offer_<?= $escaper->escapeHtml($sanitizedProductSku) ?>"></div>
 
   <script type="text/x-magento-init">
     {
-          "#product_protection_modal_offer_<?= $sanitizedProductSku ?>": {
+          "#product_protection_modal_offer_<?= $escaper->escapeJs($sanitizedProductSku) ?>": {
               "productProtectionModalOffer": [
                   {
-                      "extendStoreUuid": "<?= $extendStoreUuid ?>",
-                      "activeEnvironment": "<?= $activeEnvironment ?>",
-                      "productSku": "<?= $productSku ?>",
-                      "productPrice": "<?= $productPrice ?>",
-                      "productCategory": "<?= $categoryName ?>",
-                      "currencyCode": "<?= $currencyCode ?>"
+                      "extendStoreUuid": "<?= $escaper->escapeJs($extendStoreUuid) ?>",
+                      "activeEnvironment": "<?= $escaper->escapeJs($activeEnvironment) ?>",
+                      "productSku": "<?= $escaper->escapeJs($productSku) ?>",
+                      "productPrice": "<?= $escaper->escapeJs($productPrice) ?>",
+                      "productCategory": "<?= $escaper->escapeJs($categoryName) ?>",
+                      "currencyCode": "<?= $escaper->escapeJs($currencyCode) ?>"
                   }
               ]
           }